In the context of a privilege escalation, the attacker tries to gain more rights on the target system. Such privilege escalation may be necessary to load additional malware or start other processes for which the ordinary user has no rights. In a recent case, an attacker can gain admin rights via a mouse’s configuration software.
Privilege Escalation – Breaking out of the user profile
There are several phases in a cyber attack, including those depicted in the Cyber Kill Chain. However, the seven steps of the Cyber Kill Chain shown do not include privilege escalation. Temporally, privilege escalation is in step four of the Cyber Kill Chain. The implementation of privilege escalation is usually based on exploiting a vulnerability that enables privilege escalation. Such a vulnerability must be exploited for the attacker to gain system privileges and cause further damage.
The privilege escalation is necessary in many attack scenarios because the user through whom the malware is installed, for example. by a phishing email, usually does not have system privileges, but only a customized user profile. These customized user profiles have only the rights that are necessary for the user’s everyday work. Therefore, an attacker often cannot use such profiles to inject malware or connect to a command and control server.
Rights extension via installation processes
Technically, the attacker is trying to cling on a process that has the necessary privileges that the attacker needs. Such processes could consist of installation or update processes, as they have the necessary rights to download data from external sources.
However, privilege escalation is not only possible remotely, but also on-site. If an attacker has access to an employee’s computer, he can try to install malware there. If the user profile does not have the necessary privileges to install the malware, the attacker must perform a privilege escalation on the spot. This can be done with hacking hardware such as. the Rubber Ducky, or other devices can be tried.
A recent example of Privilege Escalation being possible via a mouse has occurred with Razer mouse and keyboards.
Razer devices for privilege escalation
To gain system privileges on a foreign Windows 10 computer, an attacker only needs a Razer device and access to a user profile on that device. An attack scenario could be that the attacker poses as a handyman in a large company and looks for unlocked work PCs. As soon as an employee leaves his workplace but does not lock his computer, the attacker can start with privilege escalation.
A vulnerability in the Synapse software, which is automatically installed after an initial connection of a Razer device, allows the attacker to gain system privileges. An IT security researcher has even managed to reproduce this attack with an Android smartphone by making the smartphone pretend to be a Razer device.
Thus, the Twitter user shows that an attacker can already exercise privilege escalation with an inconspicuous-looking smartphone. The Razer company is aware of this vulnerability and is working on a security update at the time of writing this post.
This attack is only possible if a user leaves his workstation unlocked or gives strangers access to his own PC. These attack scenarios are easily prevented by reminding employees to lock their computers when they leave the workplace.